Address comments

Signed-off-by: Lantao Liu <lantaol@google.com>
2017-09-25 23:09:02 +00:00 · 2017-09-25 23:09:02 +00:00 · 4231473df3
commit 4231473df3
parent 21233b22be
3 changed files with 23 additions and 10 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -30,9 +30,7 @@ import (
 	"github.com/docker/docker/pkg/mount"
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/devices"
-	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/runtime-tools/validate"
@ -202,7 +200,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 	apparmorSpecOpts, err := generateApparmorSpecOpts(
 		securityContext.GetApparmorProfile(),
 		securityContext.GetPrivileged(),
-		runcapparmor.IsEnabled())
+		c.apparmorEnabled)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate apparmor spec opts: %v", err)
 	}
@ -213,7 +211,7 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 	seccompSpecOpts, err := generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
-		runcseccomp.IsEnabled())
+		c.seccompEnabled)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate seccomp spec opts: %v", err)
 	}
@ -730,11 +728,23 @@ func defaultRuntimeSpec() (*runtimespec.Spec, error) {
 		mounts = append(mounts, mount)
 	}
 	spec.Mounts = mounts
+
+	// Make sure no default seccomp/apparmor is specified
+	if spec.Process != nil {
+		spec.Process.ApparmorProfile = ""
+	}
+	if spec.Linux != nil {
+		spec.Linux.Seccomp = nil
+	}
 	return spec, nil
 }

 // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
 func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (containerd.SpecOpts, error) {
+	if privileged {
+		// Do not set seccomp profile when container is privileged
+		return nil, nil
+	}
 	// Set seccomp profile
 	if seccompProf == runtimeDefault || seccompProf == dockerDefault {
 		// use correct default profile (Eg. if not configured otherwise, the default is docker/default)
@ -746,10 +756,6 @@ func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool
 		}
 		return nil, nil
 	}
-	if privileged {
-		// Do not set seccomp profile when container is privileged
-		return nil, nil
-	}
 	switch seccompProf {
 	case "", unconfinedProfile:
 		// Do not set seccomp profile.
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@ -26,7 +26,6 @@ import (
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/golang/glog"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
-	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	runtimespec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"golang.org/x/net/context"
@ -133,7 +132,7 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 	seccompSpecOpts, err := generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
-		runcseccomp.IsEnabled())
+		c.seccompEnabled)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate seccomp spec opts: %v", err)
 	}
--- a/pkg/server/service.go
+++ b/pkg/server/service.go
@ -31,6 +31,8 @@ import (
 	"github.com/containerd/containerd/plugin"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 	"github.com/golang/glog"
+	runcapparmor "github.com/opencontainers/runc/libcontainer/apparmor"
+	runcseccomp "github.com/opencontainers/runc/libcontainer/seccomp"
 	"golang.org/x/net/context"
 	"google.golang.org/grpc"
 	"k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime"
@ -66,6 +68,10 @@ type criContainerdService struct {
 	config options.Config
 	// imageFSUUID is the device uuid of image filesystem.
 	imageFSUUID string
+	// apparmorEnabled indicates whether apparmor is enabled.
+	apparmorEnabled bool
+	// seccompEnabled indicates whether seccomp is enabled.
+	seccompEnabled bool
 	// server is the grpc server.
 	server *grpc.Server
 	// os is an interface for all required os operations.
@ -117,6 +123,8 @@ func NewCRIContainerdService(config options.Config) (CRIContainerdService, error

 	c := &criContainerdService{
 		config:              config,
+		apparmorEnabled:     runcapparmor.IsEnabled(),
+		seccompEnabled:      runcseccomp.IsEnabled(),
 		os:                  osinterface.RealOS{},
 		sandboxStore:        sandboxstore.NewStore(),
 		containerStore:      containerstore.NewStore(),